Updates Required by the GDPR

The General Data Protection Regulation (GDPR) includes a set of data privacy laws passed by the European Commission that will go into effect on May 25th, and these laws will require tight controls by any business that handles personal data for European customers.

Since most businesses in the US either serve European clients or expect to at some point in the future, the arrival of the GDPR will require these companies to update their publicly facing documents, including privacy policies and terms of service. Companies affected by the new regulations are quickly producing new and revised statements to replace the previous versions that currently appear on websites, in contracts, and in service agreements.

But rushing to update ToS sheets won’t be quite enough to bring a business into full compliance with the new regulations. This task will need to be checked off the list, for sure, but before a new privacy policy or external terms-of-use agreement is published, businesses should draft and secure internal documentation that can prove the company maintains tight control over the data under its purview.

We recommend appointing a specific individual who can own responsibility for this task.

This person should conduct a deep review of company data management policies and practices, and should produce documentation that reflects:

1. What personal data the company collects and uses, and why. (“Personal data" may include names, ID numbers, location data, and online identifiers).

2. Where the company stores or will store this information.

3. Where the company servers are located, who has access to them, and how this access is tracked.

4. What third parties can access the data (through company servers, a data warehouse, or any other sharing system).

Once this information has been fully investigated, understood, and made available by the designated person, publicly available documents (like ToS documents) can be produced or updated. These documents will need to demonstrate:

1. Transparency into the company's practices in the form of easily digestible and understandable language.

2. Customer ability to access to all personal data being stored and used by the company.

3. The existence of a company system that allows the deletion of an individual's data upon request.

Keep in mind that the GDPR also covers personal data owned by employees. Any EU-based employees who work for the company will need to provide freely-given, informed, and fully revocable consent before their activities are tracked or their data is collected, used and stored.

Also, please note: “freely-given” consent is a disputed concept, since the leverage an employer generally holds over an employee nullifies this term. So we advise companies to move with caution and be prepared to show adequate reasoning behind any decision to accept this consent and use or access any personal information provided by employees.